lumma | 7cb380bb249c35afb4a56dfe8a8dec9a6a87a76c1dc7301d9a4e62eabd03a3d1

Resubmissions

01-04-2023 02:07

230401-ckct9sfc79 10

01-04-2023 02:03

230401-cgrt1sgf2y 7

01-04-2023 01:57

230401-cc9h9sfc42 10

Analysis

max time kernel
131s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ghast Setup.exe
Size

47.0MB
MD5

aade6b70530baa03c6f520119161d224
SHA1

ba2d3b60a32e5a4ca5033ceb27ef4bc0613086c8
SHA256

7cb380bb249c35afb4a56dfe8a8dec9a6a87a76c1dc7301d9a4e62eabd03a3d1
SHA512

e8d8f3385efa219368d2a153031e0ef934e8c4e480cca22a54be526297e9093acbd6fe5bc4e6c8353c3712612d2b36f7b6f2312e0d182b73a8bba746b7092296
SSDEEP

786432:F1pKaCrTgJhsBqMCiMz0WSt++sQVOcHJ4ok7icr1TEDgvFGv1XqWHb:F6fWwsnSt++tAwq7icnvm

Score

10^/10

lumma discovery stealer

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ghast.exeGhast.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Ghast.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Ghast.exe

Executes dropped EXE 8 IoCs

Processes:

Ghast Setup.tmpLoader.exeGhast.exeGhast.exeGhast.exeGhast.exeGhast.exeGhast.exe

pid process

4984 Ghast Setup.tmp
3916 Loader.exe
4928 Ghast.exe
1664 Ghast.exe
4912 Ghast.exe
2664 Ghast.exe
4788 Ghast.exe
4984 Ghast.exe

Loads dropped DLL 33 IoCs

Processes:

Ghast.exeGhast.exeGhast.exeGhast.exeGhast.exeGhast.exe

pid	process
4928	Ghast.exe
4928	Ghast.exe
4928	Ghast.exe
4928	Ghast.exe
4928	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
4912	Ghast.exe
4912	Ghast.exe
4912	Ghast.exe
4912	Ghast.exe
4912	Ghast.exe
2664	Ghast.exe
2664	Ghast.exe
2664	Ghast.exe
2664	Ghast.exe
2664	Ghast.exe
4788	Ghast.exe
4788	Ghast.exe
4788	Ghast.exe
4788	Ghast.exe
4788	Ghast.exe
4984	Ghast.exe
4984	Ghast.exe
4984	Ghast.exe
4984	Ghast.exe
4984	Ghast.exe
4788	Ghast.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Ghast.exeGhast.exeGhast.exeGhast.exeGhast.exeGhast.exe

pid process

4928 Ghast.exe
1664 Ghast.exe
4912 Ghast.exe
2664 Ghast.exe
4788 Ghast.exe
4984 Ghast.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

Ghast.exeGhast.exeGhast.exeGhast.exeGhast.exe

description	pid	process	target process
PID 1664 set thread context of 4928	1664	Ghast.exe	Ghast.exe
PID 4912 set thread context of 4928	4912	Ghast.exe	Ghast.exe
PID 2664 set thread context of 4928	2664	Ghast.exe	Ghast.exe
PID 4788 set thread context of 4928	4788	Ghast.exe	Ghast.exe
PID 4984 set thread context of 4928	4984	Ghast.exe	Ghast.exe

Drops file in Program Files directory 4 IoCs

Processes:

Ghast Setup.tmp

description	ioc	process
File created	C:\Program Files (x86)\Ghast\unins000.dat	Ghast Setup.tmp
File created	C:\Program Files (x86)\Ghast\is-P4D0M.tmp	Ghast Setup.tmp
File created	C:\Program Files (x86)\Ghast\unins000.msg	Ghast Setup.tmp
File opened for modification	C:\Program Files (x86)\Ghast\unins000.dat	Ghast Setup.tmp

Drops file in Windows directory 1 IoCs

Processes:

Ghast.exe

description ioc process

File created C:\Windows\Tasks\Ghast on user logon - Admin.job Ghast.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\Ghast on user logon - Admin.job	Ghast.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133247957361356005"	chrome.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

Ghast Setup.tmpchrome.exeGhast.exeGhast.exeGhast.exeGhast.exeGhast.exeGhast.exe

pid	process
4984	Ghast Setup.tmp
4984	Ghast Setup.tmp
916	chrome.exe
916	chrome.exe
4928	Ghast.exe
4928	Ghast.exe
4928	Ghast.exe
4928	Ghast.exe
4928	Ghast.exe
4928	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
1664	Ghast.exe
4912	Ghast.exe
4912	Ghast.exe
4912	Ghast.exe
4912	Ghast.exe
4912	Ghast.exe
4912	Ghast.exe
2664	Ghast.exe
2664	Ghast.exe
2664	Ghast.exe
2664	Ghast.exe
2664	Ghast.exe
2664	Ghast.exe
4788	Ghast.exe
4788	Ghast.exe
4788	Ghast.exe
4788	Ghast.exe
4788	Ghast.exe
4788	Ghast.exe
4984	Ghast.exe
4984	Ghast.exe
4984	Ghast.exe
4984	Ghast.exe
4984	Ghast.exe
4984	Ghast.exe
4912	Ghast.exe
4912	Ghast.exe
4984	Ghast.exe
4984	Ghast.exe
2664	Ghast.exe
2664	Ghast.exe
4788	Ghast.exe
4788	Ghast.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

916 chrome.exe
916 chrome.exe
916 chrome.exe
916 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

Ghast Setup.tmpchrome.exeLoader.exeGhast.exe

pid	process
4984	Ghast Setup.tmp
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
3916	Loader.exe
3916	Loader.exe
4928	Ghast.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exeLoader.exeGhast.exe

pid	process
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
3916	Loader.exe
3916	Loader.exe
4928	Ghast.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

Loader.exeGhast.exeGhast.exeGhast.exeGhast.exeGhast.exeGhast.exe

pid process

3916 Loader.exe
3916 Loader.exe
4928 Ghast.exe
1664 Ghast.exe
4928 Ghast.exe
4912 Ghast.exe
2664 Ghast.exe
4788 Ghast.exe
4984 Ghast.exe

pid	process
3916	Loader.exe
3916	Loader.exe
4928	Ghast.exe
1664	Ghast.exe
4928	Ghast.exe
4912	Ghast.exe
2664	Ghast.exe
4788	Ghast.exe
4984	Ghast.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ghast Setup.exechrome.exe

description	pid	process	target process
PID 5068 wrote to memory of 4984	5068	Ghast Setup.exe	Ghast Setup.tmp
PID 5068 wrote to memory of 4984	5068	Ghast Setup.exe	Ghast Setup.tmp
PID 5068 wrote to memory of 4984	5068	Ghast Setup.exe	Ghast Setup.tmp
PID 916 wrote to memory of 1776	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1776	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 3360	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 2196	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 2196	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe
PID 916 wrote to memory of 1064	916	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Ghast Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Ghast Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\is-81322.tmp\Ghast Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-81322.tmp\Ghast Setup.tmp" /SL5="$9006E,48404993,898048,C:\Users\Admin\AppData\Local\Temp\Ghast Setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4984

C:\Users\Admin\AppData\Local\Programs\Ghast\Loader.exe
"C:\Users\Admin\AppData\Local\Programs\Ghast\Loader.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe 9dbec760cb1f6259387d89adf480d75c
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4928

C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
"C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe" --type=gpu-process --field-trial-handle=1536,18038531796839875519,15330139235703377787,131072 --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --log-severity=warning --lang=en-US --disable-gpu disable-software-rasterizer --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --mojo-platform-channel-handle=1616 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
"C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe" --type=utility --field-trial-handle=1536,18038531796839875519,15330139235703377787,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --log-severity=warning --lang=en-US --disable-gpu disable-software-rasterizer --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --mojo-platform-channel-handle=2192 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
"C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --field-trial-handle=1536,18038531796839875519,15330139235703377787,131072 --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --log-severity=warning --disable-gpu disable-software-rasterizer --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2328 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2664

C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
"C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --field-trial-handle=1536,18038531796839875519,15330139235703377787,131072 --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --log-severity=warning --disable-gpu disable-software-rasterizer --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2320 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
"C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe" --type=gpu-process --field-trial-handle=1536,18038531796839875519,15330139235703377787,131072 --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --log-severity=warning --lang=en-US --disable-gpu disable-software-rasterizer --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Programs\Ghast\debug.log" --mojo-platform-channel-handle=1616 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae5799758,0x7ffae5799768,0x7ffae5799778
2⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1812,i,5096229935417413624,1011822925618048215,131072 /prefetch:2
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,5096229935417413624,1011822925618048215,131072 /prefetch:8
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1812,i,5096229935417413624,1011822925618048215,131072 /prefetch:8
2⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3220 --field-trial-handle=1812,i,5096229935417413624,1011822925618048215,131072 /prefetch:1
2⤵
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3356 --field-trial-handle=1812,i,5096229935417413624,1011822925618048215,131072 /prefetch:1
2⤵
PID:1456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4492 --field-trial-handle=1812,i,5096229935417413624,1011822925618048215,131072 /prefetch:1
2⤵
PID:1644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1812,i,5096229935417413624,1011822925618048215,131072 /prefetch:8
2⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1812,i,5096229935417413624,1011822925618048215,131072 /prefetch:8
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4652 --field-trial-handle=1812,i,5096229935417413624,1011822925618048215,131072 /prefetch:1
2⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5468 --field-trial-handle=1812,i,5096229935417413624,1011822925618048215,131072 /prefetch:8
2⤵
PID:1828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=1812,i,5096229935417413624,1011822925618048215,131072 /prefetch:8
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 --field-trial-handle=1812,i,5096229935417413624,1011822925618048215,131072 /prefetch:8
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ghast\unins000.exe
Filesize
3.1MB

MD5
161d1bd06392e424ebf8e4f7971db25b

SHA1
e77ded0d21db752db95dee086137cf138701c99a

SHA256
8c5f29f44a196946191e3ef6f6e8b829c9e6123176b4a4223ada06724471437c

SHA512
e3474f14633de67411ca0e3c26f18b0629b60d6e8f330c71bfadf0a6995cbcf356dc0b063eedd6712a764bfae4ada901ffdcc9285a337a02d045aabcdb4135f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
cc9377281c1371768487122472414c8b

SHA1
a928e64c098d2f09a7cbb17d8f87faa14668e4a3

SHA256
ebeb5a699d89e1c986ecfcb8f05180677f990f739d7579d4ca6263fc972f2719

SHA512
1d62d27bbed574130c4dc4e9400f13c3124aab11eae68cfb115ab4e338c2d0aed20d7336561c2e1801353115423b19daeb0790e340b0118a49626a19a85807a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d58c3bd7066ae3a7f6b3a115f027f897

SHA1
4676c3c11aacb4579ca94aab8927b9a6ebb05a3e

SHA256
00fc36a4544d5bca7524a8179d2f7b2fc78d82d042de0d48310ad6d0d4df8893

SHA512
08ec47842e603eeca3e4efef3a1ca393583de1b4d2aefea39abb1a74b7b4d58c9f9ff8435a1956714aff287c915385b81d1120889649efbf4f8f4a9d59e7f8cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
9dc3c6d98fc9933374adfabb5e2a5336

SHA1
3594a63f3eb1cc464ea89ae283c59af48674f634

SHA256
f5ece12e79ecb9f5d0f94f986bfce5545e59bf027655b310ad3e9db1ddc136ad

SHA512
27689e4877c43186780b916735a750a256ccdb19b32622520a8cd28ac67c3241b6fbfbffe5aa8263dccdeca3535e2bcd5a1ae7c4be2e84f034da056fe8d1b309

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a3e2888df256441a083dd198036f7758

SHA1
6f9eb0b59cc36f911dcada5e691178cd1f0b9a81

SHA256
9ef309d4ede050f3729b59402fddb3371e2db68e01d1c73b8913a04681f834c6

SHA512
7de69aab342e88756a7f0a5c98f8346a2ba4a5930198ccb6fb81cd84da3d5c3f88351e2a5bb63dda41b497e3b6e5ee3033b3974085ed9b123ab8b3fd1bb2637c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c3ba5b736f517fbbc9a287a54719ef19

SHA1
de86819bb9ac9fb331af1f3084f15b835940cece

SHA256
d09b95dab47230f73d1a7e2fc44f496cf7e9bf9a8ffb3053d69604e60e888cc2

SHA512
cebb695c46230f2299ea6633627ebda6825fa301c6ac1bd9b9f4a814f8b83b4ac2f14427a7d22beb0ddbf7c206c17be787063f5f71ec4da330f2b4e7d9a98a6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
b8e0a5df1920d8368d8cec9014abee60

SHA1
3c1e22691c2330b086b2e79eadf161bcacd8a59a

SHA256
f10de7b3ee56e6a284fb3b6bca4d00c3740ba8b4b66c003dccf835fba1270652

SHA512
72c710c675f4609bcec9bfd13b50a584d7658f37d71be2f208da9303df2b91ed7f87435ccb55371202f78239ffd4222fc434757a7f5a4ef8b3bae128ca410dd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
173KB

MD5
9bf29073c5b6a9061eade4746981f3dc

SHA1
6141c427de5b98411a48037d1dd71e5b76aedf47

SHA256
7ec1e8aff2501a66677c97858324d65cfa6a4e07050d468442d2b4ab0e3eedb4

SHA512
d1d5e338731a85eb38bb7513b90d9f5fc8682f6c47eae376277ee311519a95dff6af5e640fba018038bf0aae939c2801b1b2cb37bdaed04047b6a5b35797120e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Common.dll
Filesize
527KB

MD5
05a1529dde4639e1f4462c4e3742d5a4

SHA1
783c905a4bd544f881dfe6883f24052bccfa4a14

SHA256
3da58f79c1173a4ad547b409b706c48076230c53c51fe9b95d7428d977d8247c

SHA512
e82933b8065e76e3176b3a1f2ecee0c869933558558001d95638075c1a8cc15c439ba26c90aab9dca7cb11ecd56e5cd6ce065d1c1076cee5f910ef2fe75c1ce6

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\D3DCompiler_47.dll
Filesize
4.1MB

MD5
222d020bd33c90170a8296adc1b7036a

SHA1
612e6f443d927330b9b8ac13cc4a2a6b959cee48

SHA256
4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3

SHA512
ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Ghast.exe
Filesize
4.7MB

MD5
5df04392bc93b32d6db17200d665ef55

SHA1
5d862174d83a653db244b3bf39ce3190e2493639

SHA256
214fd3af555d478fc17fef914fcb882f72d4fc0f82f0ca9f662efdbc11304a34

SHA512
7f1b95e3eeb86dceecab42b7616ee135fe79b7e942561a2270b2241793871135dfa8233aeb9956be4ed646585f3969b1ae70b39044593dcdf082419e8095477a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Loader.exe
Filesize
4.8MB

MD5
9dbec760cb1f6259387d89adf480d75c

SHA1
e855453a2fc08fc529dd647d4d2e2c1444b777bb

SHA256
5b0dc69e9ee9aeb6e9ff56cd793ceb567d9e99dd546a9b16fb24e5fb491d40b5

SHA512
2526da3047677dc20d6c7676152aef7f952120073d36ee22c9f0c9735e6325bc7f456145cb56196baf96326bdbc5d2169ce7c0b099be388e1a71469cfa7a374e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Loader.exe
Filesize
4.8MB

MD5
9dbec760cb1f6259387d89adf480d75c

SHA1
e855453a2fc08fc529dd647d4d2e2c1444b777bb

SHA256
5b0dc69e9ee9aeb6e9ff56cd793ceb567d9e99dd546a9b16fb24e5fb491d40b5

SHA512
2526da3047677dc20d6c7676152aef7f952120073d36ee22c9f0c9735e6325bc7f456145cb56196baf96326bdbc5d2169ce7c0b099be388e1a71469cfa7a374e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\Loader.exe
Filesize
4.8MB

MD5
9dbec760cb1f6259387d89adf480d75c

SHA1
e855453a2fc08fc529dd647d4d2e2c1444b777bb

SHA256
5b0dc69e9ee9aeb6e9ff56cd793ceb567d9e99dd546a9b16fb24e5fb491d40b5

SHA512
2526da3047677dc20d6c7676152aef7f952120073d36ee22c9f0c9735e6325bc7f456145cb56196baf96326bdbc5d2169ce7c0b099be388e1a71469cfa7a374e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\VCRUNTIME140.dll
Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\cef.pak
Filesize
2.0MB

MD5
fadbeb0dfdcf3e3321b954dccd5f2dc9

SHA1
88a3f6ff673a77d613bca4461949c6f8a1208aed

SHA256
b816b4775ad62cfd9b1b8c27446f39dfe06fb5ce8637ce89c7896a4b0095a835

SHA512
644f6af10f991e02b4613cfcb422520c9f39d5de4d9941fbc480716ce96c141875e8477f9b6844d740e164cd055fc0a0246afa0de2939d6636086112007cb0c9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\cef_100_percent.pak
Filesize
638KB

MD5
d6537d8bd18bea635651fdec3d152909

SHA1
888bd16bbcead51b8968e706eb57177ffcd57227

SHA256
24bc9d0779ee755518702aa8f62c313feaaeee5f85688d9c17d22d0c3a3f0dbc

SHA512
4f9909cdd0199f37e0c5cd64b9cf943e2f6e479243a31fa02456cce0dcbecf4df7dd469e375fad5f823920e1beb5e18bb534d9bdcf039ef1850a0e2220951ebc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\cef_200_percent.pak
Filesize
789KB

MD5
bd1ce17f9350ac0ee83a350439099526

SHA1
fd9328c6c2b2fb2cb3b877548bcf86afcc65a6a3

SHA256
bbb4fae64ae9a18a3cd27fde9936d0c79b8df03aca7f25043e51ed6d85455e30

SHA512
4b5d31a10ebf5c0d511d4df2ca661a484f2299af93b2cb3c26f54c6d590c972cb4b01f74595575fb51e0da44627463104808e4f16dc6f02c660309d2c77379b0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\cef_extensions.pak
Filesize
1.7MB

MD5
968fbcb567ad6a183a11511cd9871086

SHA1
a3f74917fc7a78f9a6cdf7d9f69234605c7eeffa

SHA256
85e4c876c03e997833d0859e8ce28df41de458142c4d02e9651686c426ef5a8d

SHA512
2af6d1d6726279a1f6dfbf3968b20d32c5a77bac8bddf01ed24d20b33c1b027baccf3541bc6db8a6ba848de69fc7affc5bb7e30e4d3c2a0ea02d261190795e8c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll
Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll
Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll
Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll
Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll
Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\chrome_elf.dll
Filesize
801KB

MD5
b5705e3ab1c96214e454dfb140654bc3

SHA1
39656b014dd9de7a4a2bf74b7f0defd34a83a8c5

SHA256
f63e2dcdc17c94ffa21fd933d4d67f9a15b6f3164d046a480289953a67640ca3

SHA512
eeb22d741e07c1e4e03d9fd642f328147264b6972b382903b31df3c07e92f8b327e4b87d9d2ac59d95872d9c8da37d5772116f0b94c43f5537ed7bc0fd6d2cfb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\d3dcompiler_47.dll
Filesize
4.1MB

MD5
222d020bd33c90170a8296adc1b7036a

SHA1
612e6f443d927330b9b8ac13cc4a2a6b959cee48

SHA256
4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3

SHA512
ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\icudtl.dat
Filesize
10.0MB

MD5
3f019441588332ac8b79a3a3901a5449

SHA1
c8930e95b78deef5b7730102acd39f03965d479a

SHA256
594637e10b8f5c97157413528f0cbf5bc65b4ab9e79f5fa34fe268092655ec57

SHA512
ee083ae5e93e70d5bbebe36ec482aa75c47d908df487a43db2b55ddd6b55c291606649175cf7907d6ab64fc81ead7275ec56e3193b631f8f78b10d2c775fd1a9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll
Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll
Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll
Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll
Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll
Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll
Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libcef.dll
Filesize
95.8MB

MD5
07f2b060b5e53c8ac3110bcc3b1a3b76

SHA1
8a0f8ad03d6c422383dd90b24fe5cb0e5a661c4f

SHA256
f069bdf29d6834f5fd5971da127a694897afecc6d0cb9a530bbb66aebcda4409

SHA512
59caae84d966e54d7717335aa22d2ef3bc684f5c26d6b05142f4de18d1de8c75b4f55802228d427aa9fb32ff298a228db220166b654baf5f3c19509a1b20502d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll
Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll
Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll
Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll
Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll
Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\libsodium.dll
Filesize
328KB

MD5
d07628811c6c2a042d9d5849c5e6d5d3

SHA1
58b9687050a1808e71288241c25c68b82d0e03e6

SHA256
0c91e8be0548203978caeb8dd02a3db31c69e9b4bbfc13f768e39fe2b1486ddf

SHA512
0f489aa068539905bd29a5243d8639297e261111e900955147900a222bbe62f01081edb078626677af828481c88a28fad754018427a2cb1b168c690487976df1

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\locales\en-US.pak
Filesize
201KB

MD5
ca71b35dd44d9949f8d7f1f47f6e274b

SHA1
7614f231538628f56cbde317495d6ffe95f8900a

SHA256
a4a1b7c72a6cf829e9f023a8673ceff385931e22fc5c23c361d8f43448b95ebc

SHA512
000017ebc7fbb3cfbc5837107795130b1c2916e8fcb3f35ebd010352921d3d8eb45a8d3ecf9a395b3409881440497c453efab9edbee0cd886bb9be848698255e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\v8_context_snapshot.bin
Filesize
541KB

MD5
87e39a722b1469f1f19f456e6b7f93ad

SHA1
4c07e2fcf21a1925049ca34f26c2572daeeba4cb

SHA256
23e7f749ee278ffb21a9f109e860f99a2ded13ad6ffdefd16b069559e8e40cf7

SHA512
086bbd50394b11bf148922a1ac9881328842f3041093f95d6bb1cc57e64d73801c6b5e41deb43dcca3e22f10f65c88388d4300e185c639f28da33f4a0e8b30d6

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll
Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll
Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll
Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll
Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll
Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\vcruntime140.dll
Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll
Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll
Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll
Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll
Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll
Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Ghast\zlib1.dll
Filesize
76KB

MD5
590f948143d93691efdee479d459944e

SHA1
0a93952856d28509793d56cde7b999f4c3502a91

SHA256
ee192eba2020707d56bf9e51c30d878636576d0c4481252a19a6da771841502e

SHA512
75fcc3e37e713f46bbe2abcd6dca8b413353cdffa96595d10b04c01210f3c5b91f98d51ee8aa1920feac2a085eeac144241bd2b639cc266be2a248b9e07c245a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-81322.tmp\Ghast Setup.tmp
Filesize
3.1MB

MD5
161d1bd06392e424ebf8e4f7971db25b

SHA1
e77ded0d21db752db95dee086137cf138701c99a

SHA256
8c5f29f44a196946191e3ef6f6e8b829c9e6123176b4a4223ada06724471437c

SHA512
e3474f14633de67411ca0e3c26f18b0629b60d6e8f330c71bfadf0a6995cbcf356dc0b063eedd6712a764bfae4ada901ffdcc9285a337a02d045aabcdb4135f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-81322.tmp\Ghast Setup.tmp
Filesize
3.1MB

MD5
161d1bd06392e424ebf8e4f7971db25b

SHA1
e77ded0d21db752db95dee086137cf138701c99a

SHA256
8c5f29f44a196946191e3ef6f6e8b829c9e6123176b4a4223ada06724471437c

SHA512
e3474f14633de67411ca0e3c26f18b0629b60d6e8f330c71bfadf0a6995cbcf356dc0b063eedd6712a764bfae4ada901ffdcc9285a337a02d045aabcdb4135f6

Download Submit
\??\pipe\crashpad_916_CDHRNXQKQXUHYANE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4984-253-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/4984-168-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/4984-262-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/4984-142-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4984-141-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/4984-139-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/5068-263-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5068-140-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/5068-133-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download